Security Presets
security:openssf-scorecard
Show OpenSSF badge on pull requests.

```json
{
  "packageRules": [
    {
      "matchSourceUrls": [
        "https://github.com/**"
      ],
      "prBodyDefinitions": {
        "OpenSSF": "[](https://securityscorecards.dev/viewer/?uri=github.com/{{sourceRepo}})"
      },
      "prBodyColumns": [
        "Package",
        "Type",
        "Update",
        "Change",
        "Pending",
        "OpenSSF"
      ]
    }
  ]
}
```
security:only-security-updates
Only update dependencies if vulnerabilities have been detected.

```json
{
  "extends": [
    "config:recommended"
  ],
  "packageRules": [
    {
      "enabled": false,
      "matchPackageNames": [
        "*"
      ]
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}
```
security:minimumReleaseAgeNpm
Wait until an npm package version is three days old before raising the update. This avoids upgrading to a version that is then unpublished, since npm allows a version to be unpublished within 72 hours of its release.

```json
{
  "npm": {
    "minimumReleaseAge": "3 days"
  }
}
```
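The check this preset expresses, as an added Python example (not Renovate's own code): it reads the per-version publish timestamps from an npm packument's `time` field (what `npm view <package> time --json` prints) and reports which versions are at least three days old at a given moment. The registry data and the clock value are constructed for the example.

```python
import json
from datetime import datetime, timedelta

MIN_RELEASE_AGE = timedelta(days=3)  # mirrors "minimumReleaseAge": "3 days"

# Constructed sample of an npm packument's "time" field; not a real package.
SAMPLE_TIME_JSON = """{
  "created": "2024-01-01T10:00:00.000Z",
  "modified": "2024-03-10T08:30:00.000Z",
  "1.0.0": "2024-01-01T10:00:00.000Z",
  "1.1.0": "2024-03-01T12:00:00.000Z",
  "1.1.1": "2024-03-10T08:30:00.000Z"
}"""

SAMPLE_NOW = "2024-03-11T09:00:00Z"  # constructed "current time" for the demo


def parse_iso(ts):
    """Parse a registry timestamp (ISO 8601 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_release_times(time_json):
    """Return {version: publish datetime}, dropping the 'created'/'modified' keys."""
    data = json.loads(time_json)
    return {v: parse_iso(ts) for v, ts in data.items() if v not in ("created", "modified")}


def is_old_enough(release_times, version, now_iso, min_age=MIN_RELEASE_AGE):
    """True if `version` was published at least `min_age` before `now_iso`.
    A version absent from the registry metadata is treated as not eligible."""
    published = release_times.get(version)
    if published is None:
        return False
    return parse_iso(now_iso) - published >= min_age


def eligible_versions(time_json, now_iso, min_age=MIN_RELEASE_AGE):
    """Versions that would pass the minimumReleaseAge check at `now_iso`."""
    times = parse_release_times(time_json)
    return sorted(v for v in times if is_old_enough(times, v, now_iso, min_age))


if __name__ == "__main__":
    times = parse_release_times(SAMPLE_TIME_JSON)
    for v in sorted(times):
        status = "eligible" if is_old_enough(times, v, SAMPLE_NOW) else "too new"
        print(f"{v}: {status}")
```

With the sample data, 1.1.1 (published about a day before the constructed clock) is held back, while 1.0.0 and 1.1.0 pass.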